What is the Strategy Behind the Department of Defense CMMC Update?

After months of internal research, the Department of Defense (DoD) has announced its plan to update the CMMC program. The eight main lines of reasoning behind the Department of Defense’s effort to adapt and expand the program are listed below.


For suppliers above Level 1, CMMC 1.0 is notorious for providing little supply chain visibility, particularly regarding the transmission and preservation of Controlled Unclassified Information (CUI). Supporters of the changes said that the restrictions in CMMC 1.0 were too focused on the certification’s formal purposes, which are to preserve and strengthen the security credentials of enterprises handling such sensitive data.

The standards of CMMC 2.0 are constructed to place a higher priority on protecting information deemed critical to national security.


Many vendors and suppliers were perplexed by CMMC Levels 2 and 4, which added no value in establishing security requirements. In truth, DoD officials saw these as merely transitional levels awarded to companies on their way to higher degrees of maturity.

CMMC 2.0 now has three levels instead of five, which better matches the level of security that the Department of Defense requires from its vendors.


The standards for Levels 1, 3, and 5 in CMMC 1.0 were based on the Federal Acquisition Regulation and the National Institute of Standards and Technology’s cybersecurity recommendations. Levels 2 through 4, on the other hand, were exclusive to the CMMC and DFARS program.

All three new levels in CMMC 2.0 are aligned with existing cybersecurity requirements. While the standards for Level 1 stay the same, CMMC 2.0 Level 2 is fully aligned with the security requirements of NIST SP 800-171. Likewise, Level 3 uses a version of NIST SP 800-172, eliminating the CMMC-specific “practices” and “procedures” that were used in CMMC 1.0. These changes make it easier for contractors to map their cybersecurity needs to the CMMC compliance requirements they are moving up to.


Compared to CMMC 1.0, compliance with CMMC 2.0 is less expensive because assessment requirements were dropped, removing the associated engineering and assessment costs for Levels 1, 2, and 4.

Additional cost reductions are possible under CMMC 2.0 because the Department of Defense eliminated CMMC-specific methodologies and maturity standards at all levels and permitted select enterprises to self-assess.


Self-assessment is permitted under CMMC 2.0 for organizations that do not possess data critical to national defense. For firms in the other subset of Level 2, however, a third-party assessment is required.

For the time being, third-party assessments will be carried out by CMMC Third-Party Assessment Organizations (C3PAOs). Government-led assessment teams from the Defense Contract Management Agency’s DIB Cybersecurity Assessment Center (DIBCAC) will conduct the assessments for Level 3.


The Office of the Under Secretary of Defense for Acquisition and Sustainment will hand over management of the whole CMMC 2.0 program to the DoD Chief Information Officer. The DoD recognized how badly CMMC 1.0 lacked controls to prevent professional and ethical violations by several errant vendors. By delegating authority to a specialist office, CMMC 2.0 strives to increase trust in the process.


Under CMMC 1.0, a vendor could only be awarded a project if it held the appropriate certification. CMMC 2.0, on the other hand, will allow subcontractors to request exemptions from CMMC requirements for time-sensitive purchases. Only senior DoD officials will be able to authorize such exemptions, and they will only be valid for a limited time. The Department of Defense claims that CMMC 2.0 will almost certainly result in faster approvals of project-contractor matches across the board.
